More Action Needed to Safeguard U.S. Maritime Ports from Cyber Attacks, GAO Says

Wednesday, June 11, 2014

Sandler, Travis & Rosenberg Trade Report

The Government Accountability Office recently released a report calling on the Department of Homeland Security to take additional steps to safeguard the information and communication systems that support maritime port operations against potential cyber attacks. The report notes that U.S. maritime ports handle more than $1.3 trillion in cargo annually and that failures in their information and communication systems could degrade or interrupt port operations, including the flow of commerce.

According to the report, actions taken by DHS and other federal agencies to address cybersecurity in the maritime port environment have been limited. The Coast Guard initiated a number of activities and coordinating strategies to improve physical security in specific ports but has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities and consequences. Maritime security plans required by law and regulation generally have not identified or addressed potential cyber-related threats or vulnerabilities, and while the Coast Guard expects to update its guidance for developing such plans this year to include cybersecurity requirements, the GAO is concerned that in the absence of a comprehensive risk assessment the revised guidance may not adequately address cyber-related risks to the maritime environment. The report further notes the varying degree to which information-sharing mechanisms such as councils have been active and shared cybersecurity-related information. Finally, while the Federal Emergency Management Agency has made projects aimed at enhancing cybersecurity one of its funding priorities through the Port Security Grant Program, it has not developed procedures to instruct grant reviewers to consult cybersecurity-related subject matter experts and use the results of a risk assessment that identifies any cyber-related threats and vulnerabilities.

The report includes an appendix summarizing the cybersecurity-related actions taken by other federal agencies related to the maritime port environment. These include the Customs-Trade Partnership Against Terrorism, under which U.S. Customs and Border Protection has issued minimum security criteria for U.S.-based marine port authority and terminal operators that include information technology security practices such as password protection, establishment of information technology security policies, employee training on information technology security, and developing a system to identify information technology abuse that includes improper access. Also listed are efforts by the Secret Service to evaluate cyber-related vulnerabilities in Los Angeles/Long Beach and Houston, a national cybersecurity framework developed by the National Institute of Standards and Technology (though it does not include any specific standards related to the cybersecurity of maritime facilities and one maritime entity said it did not communicate at a level helpful for business executives), and the development by DHS and the Department of Transportation of a cybersecurity standards strategy that identified tasks for developing standards for port industrial control systems starting in 2015 (though funding for this project was terminated due to sequestration).

The GAO recommends that DHS direct the Coast Guard to ensure that its maritime risk assessment includes assess cyber-related threats, vulnerabilities and potential consequences; use this assessment to inform how guidance for area maritime security plans, facility security plans and other security-related planning should address cyber-related risks for the maritime sector; and work with federal and non-federal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished. DHS said the Coast Guard is already working on the first two items and will continue to promote the reestablishment of the coordinating council. The GAO also said that DHS should direct FEMA to (a) develop procedures for officials at the field review and national review levels to consult cybersecurity subject matter experts during the review of cybersecurity grant proposals for funding (which FEMA said it will do by the end of October) and (b) use any information on cyber-related threats, vulnerabilities and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews (which FEMA said it will do in the updated guidance scheduled for publication in the first half of fiscal year 2015).